https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214936#M3784 <P>Are you seeing / experiencing this on R81.20 or some other version?</P> <P>Are all gateways under the same management and what is the topology, is either gateway DAIP?</P> Tue, 21 May 2024 22:32:22 GMT Chris_Atkinson 2024-05-21T22:32:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214927#M3781 <P>How to disable NAT-T for a specific VPN Tunnel</P><P>Good morning team, I need support because I want to disable NAT-T port 4500 for a specific VPN S2S, as I am having problems with this VPN that is Check point communication with Check point, but every so often we see interruptions and fall of the VPN, at the level of logs we have only found that they are negotiating through NAT-T port 4500 and not throught port 500 which is normal.</P><P>I have read a lot of documentation and checkmates but they all say the same thing:</P><P>1- NAT-T communication is usually initiated by the peer and checkpoint is only allowed to accept the traffic or not.<BR />2- NAT-T can be disabled but it is a global configuration that can affect all VPN's.<BR />3- NAT-T can be changed in the gateway but I understand that this still affects all VPNs connected to this gateway.</P><P>regards</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-05-21_12h07_54.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/25826i35A28A08AF269576/image-size/medium?v=v2&amp;px=400" role="button" title="2024-05-21_12h07_54.png" alt="2024-05-21_12h07_54.png" /></span></P><P> </P><P> </P> Tue, 21 May 2024 18:11:17 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214927#M3781 Ks07 2024-05-21T18:11:17Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214934#M3782 <P>In every VPN community there is option to disable NAT for this community. Not sure if this is valid also for NAT-T traffic.</P> <P>If you see issue with NAT-T, I would suggest to contact TAC and investigate it.</P> <P>NAT-T is used because there is some NAT device in between 2 peers. In order to keep connection in NAT device connection table, Check Point firewall is using NAT-T as keepalive packets every 10 seconds (even if there is no interesting traffic).</P> Tue, 21 May 2024 21:20:03 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214934#M3782 JozkoMrkvicka 2024-05-21T21:20:03Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214935#M3783 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1702">@JozkoMrkvicka</a>&nbsp;described it perfectly.</P> <P>Andy</P> Tue, 21 May 2024 22:30:54 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214935#M3783 the_rock 2024-05-21T22:30:54Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214936#M3784 <P>Are you seeing / experiencing this on R81.20 or some other version?</P> <P>Are all gateways under the same management and what is the topology, is either gateway DAIP?</P> Tue, 21 May 2024 22:32:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214936#M3784 Chris_Atkinson 2024-05-21T22:32:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214937#M3785 <P>Great call about DAIP.</P> Tue, 21 May 2024 22:43:20 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/214937#M3785 the_rock 2024-05-21T22:43:20Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/215117#M3786 <P>NAT-T is normal for a Tunnel if the Gateway is hidden behind a Device that controls the Public IP address.</P> <P>With Check Point, there is a Hash Value for NAT-T detection, and if this Hash returns different, then this is a indication that the Tunnel has been NATed behind some other device, thus causing the Tunnel to be made with NAT-T.</P> <P>Thus if NAT-T is needed, then NAT-T should not be modified.</P> <P>Also, make sure that the Interface you are using for a VPN Tunnel is defined as External interface.</P> <P>If you are experiencing Outages,<BR />Please enable VPN debugs and open a TAC case for further investigation.<BR /><BR /><BR /><BR /></P> Thu, 23 May 2024 17:36:57 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/215117#M3786 SenpaiNoticed_U 2024-05-23T17:36:57Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/215118#M3787 <P>Check &nbsp;SK177823 to see if that helps. &nbsp;There was a change in a set of Jumbo HFAs a short time ago.</P> <P><A href="https://support.checkpoint.com/results/sk/sk177823" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk177823</A></P> <P>&nbsp;</P> <P>Edit:</P> <P>Likewise SK32664 has some related info:</P> <P><A href="https://support.checkpoint.com/results/sk/sk32664" target="_blank">https://support.checkpoint.com/results/sk/sk32664</A></P> Thu, 23 May 2024 17:56:27 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/How-to-disable-NAT-T-for-a-specific-VPN-Tunnel/m-p/215118#M3787 Duane_Toler 2024-05-23T17:56:27Z